Health Insurance Portability and Accountability Act (HIPAA)

Breaking down HIPAA compliance for independent physicians

What is HIPAA?

The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, is a federal law that governs health-related transactions and procedures to protect patient health information and patient privacy.

Why was HIPAA enacted?

Before HIPAA was signed into law in 1996, only a patchwork of Federal and State laws governed the transfer of personal health information. These laws were inconsistent in their regulation of health information transmission, which resulted in loopholes that allowed personal health information to be transferred for non-medical purposes. HIPAA was therefore created to protect individual patient information and restrict its transfer solely for caring for patients and improving health outcomes.

HIPAA and Electronic Health Records

After the HITECH Act increased the adoption of electronic health records (EHRs), HIPAA Title II became particularly relevant to healthcare providers: it mandates that the HHS establish national standards for processing electronic healthcare transactions and requires healthcare organizations to implement secure electronic systems to protect electronic protected health information (ePHI). Secure electronic systems reduce the chance of compromising ePHI by protecting against virus infections, hacking, and third parties attempting to steal patient health information. Basic steps toward securing the systems you operate include encrypting each device and configuring it to lock to a screensaver when not in use.

What should independent physicians know about HIPAA compliance?

We understand that it is absolutely critical for physicians to be HIPAA compliant, so Elation Health has developed an electronic health record (EHR) that makes it easy for doctors to keep their practices HIPAA compliant. Here we have summarized the HIPAA regulations that are important for solo practitioners to comprehend.

Below are the parts of HIPAA that matter the most to independent practices:

HIPAA Privacy Rule

The HIPAA Privacy Rule defines protected health information (PHI) as individually identifiable health information that is held or maintained by a covered entity. Covered entities include all health plans, healthcare clearinghouses, and healthcare providers. PHI includes demographic information, information about the patient’s physical or mental condition, genetic information, and information about the patient’s healthcare plan or payment system.

The Privacy Rule mandates that appropriate safeguards be implemented to protect the privacy of PHI. When patient authorization is not obtained, the Privacy Rule sets limits and conditions regarding the use and disclosure of PHI.

The Privacy Rule recommends that covered entities:

  • Train employees to ensure that they understand what information may and may not be shared outside of the organization’s security system
  • Implement safety checks to maintain the integrity of ePHI and other individual personal identifiers of patients
  • Ensure written permission is obtained from the patient before their health data is used for research, marketing, or fundraising purposes

Covered entities should update their patient authorization forms to include the disclosure of immunization records to schools as well as the option of providing an electronic copy if the patient requests it.

The Privacy Rule gives patients the right to examine their health records, obtain a copy of their health records, and request corrections on their health records if necessary. Notices of Privacy Practices (NPP) must be issued to patients to detail the circumstances under which their health data may be used or shared.

HIPAA Security Rule

The Security Rule contains the national standards that must be met in order to protect ePHI. The Security Rule applies to any system or any individual who has access to confidential patient data. Access is defined as having the means to read, write, modify, or communicate ePHI or personal identifiers that may reveal the identity of the patient.

There are three parts of the Security Rule: Technical Safeguards, Physical Safeguards, and Administrative Safeguards. Each comes with a series of regulations, some of which are required for all covered entities, while others are considered “addressable.” An “addressable” regulation is NOT optional: the covered entity must assess whether the regulation is reasonable and feasible to carry out in its environment, and act on that assessment.

Whether to introduce an “addressable” safeguard will depend on factors such as the covered entity’s risk analysis, its risk mitigation strategies, and the security measures already in place. A decision not to introduce an “addressable” safeguard MUST be documented in writing, including the factors that were considered and the results of the risk assessment. If it is not reasonable to implement an “addressable” safeguard, the covered entity may either propose an appropriate alternative or not implement the safeguard at all.

Technical Safeguards

The Technical Safeguards concern the technological systems used to provide access to and protect ePHI. ePHI must be encrypted to National Institute of Standards and Technology (NIST) standards (http://csrc.nist.gov/groups/STM/cavp/standards.html) if it leaves the organization’s internal firewall. This preserves the confidentiality of patient information by rendering it unreadable, undecipherable, and unusable should a breach occur. Beyond encrypting health data, organizations may select whatever means are most appropriate to:

  • Establish access control (required): Establish procedures to govern the release and disclosure of ePHI, including assigning a centrally controlled unique username and PIN code for each user that can access PHI.
  • Create a system to monitor ePHI access (required): Install a system to register all attempted access to ePHI and to record what is done with the accessed ePHI.
  • Introduce a mechanism to authenticate ePHI (addressable): This is done to uphold the integrity of ePHI and to ensure that it has not been altered or destroyed in an unauthorized manner.
  • Implement tools for encryption and decryption (addressable): This guideline pertains to all electronic devices, especially mobile smartphones. To secure ePHI, all ePHI sent beyond an internal firewall must be encrypted.
  • Facilitate automatic logoff (addressable): This safety check is meant to prevent unauthorized access to ePHI when a device containing ePHI is accidentally left on while not in use.
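The five technical safeguards above are easiest to understand when they sit in one access path. The following is an added example, not Elation's code and not part of the original page: a minimal ePHI access layer in which every read or write goes through a centrally assigned user ID and permission check (access control), every attempt is appended to an audit log whether it succeeds or not (access monitoring), each stored record carries an HMAC so unauthorized alteration is detected (ePHI authentication), and an idle session is rejected after a fixed timeout (automatic logoff). The user names, the 10-minute timeout, the sample patient record, and the HMAC key are all constructed assumptions; encryption at rest and in transit is assumed to happen at the storage and transport layers and is not shown.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: in a real deployment the integrity key lives in a KMS/HSM, never in
# source. This constant exists only so the example runs offline.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"

# Assumed role table: centrally assigned unique user IDs mapped to permissions.
PERMISSIONS = {
    "dr_lee": {"read", "write"},   # hypothetical clinician
    "front_desk": {"read"},        # hypothetical scheduler, read-only
}

IDLE_TIMEOUT_SECONDS = 600  # assumed automatic-logoff threshold: 10 minutes idle


class AccessDenied(Exception):
    """User lacks the permission for the requested action."""


class SessionExpired(Exception):
    """Session idle longer than IDLE_TIMEOUT_SECONDS; user must log in again."""


class IntegrityFailure(Exception):
    """Stored record no longer matches its HMAC tag: altered outside this layer."""


def integrity_tag(payload: bytes) -> str:
    """Keyed hash over the serialized record, used to detect unauthorized changes."""
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()


def store_record(record: dict) -> tuple:
    """Serialize a record deterministically and pair it with its integrity tag."""
    payload = json.dumps(record, sort_keys=True).encode()
    return payload, integrity_tag(payload)


# Constructed sample ePHI store: patient id -> (serialized record, HMAC tag)
RECORDS = {
    "p-1001": store_record({"name": "Sample Patient", "dx": "J06.9"}),
}

AUDIT_LOG = []  # every attempt, successful or not, is recorded here


@dataclass
class Session:
    user: str
    last_activity: float


def _audit(user: str, action: str, patient_id: str, outcome: str, now: float) -> None:
    AUDIT_LOG.append({"ts": now, "user": user, "action": action,
                      "patient": patient_id, "outcome": outcome})


def _check_session(session: Session, now: float) -> None:
    """Automatic logoff: reject the session if it has been idle too long."""
    if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        raise SessionExpired(session.user)
    session.last_activity = now


def access_record(session: Session, patient_id: str, action: str,
                  new_record: Optional[dict] = None,
                  now: Optional[float] = None) -> dict:
    """Single choke point for ePHI access; returns the record as a dict."""
    now = time.time() if now is None else now
    try:
        _check_session(session, now)
    except SessionExpired:
        _audit(session.user, action, patient_id, "session_expired", now)
        raise
    if action not in PERMISSIONS.get(session.user, set()):
        _audit(session.user, action, patient_id, "denied", now)
        raise AccessDenied(f"{session.user} may not {action} {patient_id}")
    if action == "write":
        if new_record is None:
            raise ValueError("write requires new_record")
        RECORDS[patient_id] = store_record(new_record)
        _audit(session.user, action, patient_id, "success", now)
        return dict(new_record)
    stored = RECORDS.get(patient_id)
    if stored is None:
        _audit(session.user, action, patient_id, "not_found", now)
        raise KeyError(patient_id)
    payload, stored_tag = stored
    # Constant-time comparison of the recomputed tag against the stored one.
    if not hmac.compare_digest(integrity_tag(payload), stored_tag):
        _audit(session.user, action, patient_id, "integrity_failure", now)
        raise IntegrityFailure(patient_id)
    _audit(session.user, action, patient_id, "success", now)
    return json.loads(payload)


if __name__ == "__main__":
    clinician = Session(user="dr_lee", last_activity=time.time())
    print(access_record(clinician, "p-1001", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points carry over to real systems. First, the integrity check happens after the session and permission checks, so a tampered record is still attributed to a named user in the log; the log therefore answers both "who touched this record" and "when did it stop matching its tag". Second, the audit entry is written on every path, including failures, because an auditor reviewing the log needs the denied and expired attempts as much as the successful ones.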

Physical Safeguards

The Physical Safeguards address the measures needed to physically secure ePHI. These guidelines dictate how workstations and mobile devices should be secured against unauthorized access to ePHI.

  • Policies relating to workstation use (required): Practices should devise and implement policy to restrict use of workstations that have access to ePHI and specify protective measures to ensure ePHI security (for example: erecting a screen around a workstation so that workstation cannot be overlooked from an unrestricted area).
  • Policies and procedures for mobile devices (required): If mobile devices have access to ePHI, policies must be implemented governing how ePHI is removed from a mobile device before the device is reused.
  • Implement facility access controls (addressable): Procedures to record any person who has physical access to a location containing ePHI must be made in order to prevent theft, tampering, or unauthorized physical access to ePHI.
  • Inventory of hardware (addressable): An inventory of all hardware must be maintained and must document the movement of any item. A retrievable exact copy of ePHI must be made before any equipment is moved.

Administrative Safeguards

The Administrative Safeguards are the policies and procedures organizations need to adhere to for HIPAA compliance. The Administrative Safeguards aspect of the Security Rule requires that a Security Officer and a Privacy Officer be assigned to oversee the protection of ePHI as well as the conduct of the organization’s employees.

One major area of non-compliance is the failure to regularly perform security risk assessments because many covered entities are unaware of this requirement. In the second phase of HIPAA audits, an organization’s risk assessments will be thoroughly inspected for comprehensiveness and efficacy. Risk assessments are not one-time requirements, but must be implemented periodically to ensure continued compliance.

  • Introducing a risk management policy (required): Risk assessment must be repeated at regular intervals to maximize security of ePHI. Organizations must introduce a sanctions policy for employees who fail to comply with HIPAA regulations.
  • Conducting risk assessments (required): A Security Officer must identify every area where ePHI is used and determine all possible ways in which breaches of ePHI can occur.
  • Restricting third-party access (required): The Security Officer must ensure that unauthorized parties do not access ePHI and that business partners who have access to ePHI sign a Business Associate Agreement.
  • Developing a contingency plan (required): During an emergency, a contingency plan must enable the continuation of critical business processes while ensuring the protection of ePHI. Accessible backups of ePHI and procedures to restore lost data in the event of an emergency must be made.
  • Testing of contingency plan (addressable): The contingency plan must be tested periodically to ensure that all of its aspects are in working order.
  • Training employees to be secure (addressable): Organizations must introduce training schedules to raise awareness of policies and procedures governing ePHI access and to teach employees how to identify malicious software attacks and malware. All training must be documented.
  • Reporting security incidents (addressable): If security incidents can be contained and data retrieved before an incident develops into a breach of HIPAA regulations, no reporting of security incident is needed. If however, a breach of security does occur, employees must follow the HIPAA Breach Notification Rule.

HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities to inform patients when their PHI has been compromised. If the breach affects more than 500 patients, covered entities must promptly notify the HHS and issue a notice to the media.

Smaller breaches affecting fewer than 500 patients should ideally be reported to the Office of Civil Rights (OCR) of HHS once the initial investigation has been conducted. The OCR only requires these reports to be made annually.

Breach notifications should include the following:

  • The nature of the ePHI involved, including the types of personal identifiers exposed
  • The unauthorized person who used the ePHI or to whom the disclosure was made (if known)
  • Whether the ePHI was actually viewed or acquired (if known)
  • The extent to which the risk of damage has been mitigated

Breach notifications must be made no later than 60 days following the discovery of the breach. When notifying a patient of the breach, the covered entity must inform the patient how they should protect themselves from potential harm, briefly describe what the organization is doing to investigate the breach, and explain what actions the organization will take in the future to prevent further breaches and security incidents.

HIPAA Enforcement Rule

Failure to comply with HIPAA regulations and security breaches will result in the following penalties:

  • A violation attributable to ignorance can attract a fine of $100 – $50,000.
  • A violation which occurred despite reasonable vigilance can attract a fine of $1,000 – $50,000.
  • A violation due to willful neglect, which is corrected within thirty days, will attract a fine of between $10,000 and $50,000.
  • A violation due to willful neglect, which is not corrected within thirty days, will attract the maximum fine of $50,000.

Fines are calculated based on the number of HIPAA compliance standards violated, the amount of ePHI exposed in a breach, and the risk posed by the exposure during the breach. Penalties can easily reach the maximum fine of $1.5 million per year, per violation category. Violations due to willful neglect can lead to criminal charges being filed. Victims of a breach may file a civil lawsuit for any type of violation.

Common Causes for Breach of Security:

Theft or loss of an unencrypted device containing ePHI
  • Example: Concentra Health Services was fined more than $1.7 million for the theft of an unencrypted laptop containing ePHI

Lack of proper technology security
  • Example: New York and Presbyterian Hospital – Columbia University was fined $4.8 million for the lack of a firewall

Improper disposal of Personal Health Information
  • Example: A dentist in Indiana was fined $12,000 for improperly disposing of medical records

How can Elation Health help you with HIPAA compliance?

Elation is committed to creating a clinical-first, provider-centric EHR to support the physician-patient relationship and to promote outstanding patient outcomes.

At Elation, we know just how important data security is, so we have made it our priority to protect patient security and privacy. Below are some of the features of Elation’s EHR that will help keep practitioners compliant with HIPAA regulations:

Security Features

It is of utmost importance to keep your health information secure and private. That’s why Elation uses 256-bit encryption, which is double the encryption level required by law. Our EHRs also employ strict user access to ensure that your data does not fall into the wrong hands. Our service is fully HIPAA-compliant and your medical information is always safe with us.

Network and Billing

Elation’s EHR makes it easy for your practice to transfer secure data.

  • You can directly send and receive protected data from an extensive HIPAA-compliant network of labs, imaging centers, pharmacies, and billing systems.
  • Our EHR allows you to exchange clinical data from health plans and accountable care organizations so you can access your patient’s medical records from hospitals and other medical practices.
  • You can also order tests and receive results directly in our EHR, which means less faxing and scanning for your staff.
  • Elation’s EHR enables you to connect to any e-prescribing pharmacy in the country and save your patient’s preferred pharmacies. Sending prescriptions from your EMR is a single click away, so you can help get your patients on treatment faster. With our EHR it is easy to add prescription notes, print a patient copy of the script, and refill multiple medications all at once.
  • Our billing partners seamlessly integrate into our EHR. If you already have your own billing system, you do not need to change your existing billing processes. Elation’s EHR allows you to print, export, or securely send electronic superbills to your existing internal or external biller.

Messaging

One special feature of Elation’s EHR is our free online patient portal, which gives you and your patients continual access to secure patient information.

By using HIPAA-compliant messaging, you and your patients can directly converse about their health online, allowing your practice to cut down on unnecessary phone calls and appointments. Through our EHR you can send HIPAA-compliant automated text messages, emails, and voicemail recordings to remind patients 2 days before their scheduled visit. Our patient portal also allows patients to easily access their allergies, current medications, and other pertinent medical information, which enables them to be proactive with their healthcare. The result is that your practice saves time and money so that you can focus on providing the best care possible.

By using Elation’s EHR, independent and small practice physicians can trust that their practice will be HIPAA compliant so they can focus on doing what they love best: caring for patients.